In spring security, how to find if the session has been invalidated by multiple logins?

When the user logs in with the same userid from another computer, without logging off from the first, the default behaviour is that the first session is invalidated. Now, when the user goes back to the first computer, I want to tell him that his session has been invalidated because he has logged on from some other computer. How can I do that?

I have thought of two approaches:

  • Allow multiple logins, and when the user logs in from the second computer, add a boolean flag to all the sessions (whose ids are obtained from the sessionRegistry) and when the user goes back to login from the first computer, check whether the current session has the boolean flag as true. If yes, invalidate the session, and send the user a message. This will be done in a CustomSuccessHandler.

Flipside: It's probably not possible to obtain the session object via the session id (which is all that the session registry provides).

  • Don't allow multiple logins, and when the user goes back to his first computer, somehow find out the reason for the session being invalidated. If it's invalidated because of multiple logins, display the proper message.

Flipside: It doesn't seem possible to add invalidation reasons while invalidating a session, and I don't know how to access this information (if it exists) from the first computer.

Don't allow multiple logins. You can easily achieve this using spring security.

Add concurrent-session-control to spring security.

<!-- you can also set expired-url to your custom invalidate page rather than create a mapping -->
<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="false" expired-url="/jsp/invalidate.do"/>

Create custom requestMapping for invalidate user.

@RequestMapping( value = "/invalidate.do", method = RequestMethod.GET )
public String invalidate(HttpServletRequest request)
{
    request.setAttribute("invalidate", true);
    return "login";
}

Then your login page

<c:if test="${not empty invalidate}">
<script type="text/javascript">
    alert("You have been Logged Out. Someone signed in using your account.");
</script>
</c:if>

Another way is to set your error-if-maximum-exceeded to true, so it will flag error if user tries to login into another session.

<security:session-management>
    <security:concurrency-control error-if-maximum-exceeded="true" max-sessions="1"/>
</security:session-management>

Then create a custom message in your message.properties

ConcurrentSessionControlStrategy.exceededAllowed=You have been Logged Out. Someone signed in using your account.

Hope it helps.

Links: http://codehustler.org/blog/spring-security-tutorial-form-login/ , Maximum concurrent users in Spring Security
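
The same two behaviours in Java configuration, as an added example that is not part of the original answer. It assumes Spring Security 6.x; the class name and the use of /invalidate.do (the answer's handler mapping) as the expired-session URL are assumptions.

```java
// Added example, not the answerer's code. Assumes Spring Security 6.x Java config.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrentSessionConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // The expired-session target must be reachable without a valid session,
                // otherwise the displaced user is bounced to login and never sees the message.
                .requestMatchers("/invalidate.do").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                .maximumSessions(1)
                // false: the newest login wins and the older session is marked expired
                //        (the first variant in the answer).
                // true:  the new login is rejected while a session is active
                //        (the error-if-maximum-exceeded="true" variant).
                .maxSessionsPreventsLogin(false)
                // Where a request carrying an expired session is redirected.
                .expiredUrl("/invalidate.do"));
        return http.build();
    }

    // Publishes servlet session lifecycle events to Spring so the session registry
    // forgets sessions that were logged out or timed out; without it, stale entries
    // keep counting against max-sessions.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

The session registry groups sessions by principal object, so a custom UserDetails class needs equals() and hashCode() based on the username for the limit to take effect.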
